Agent Foskett Academy • Microsoft Sentinel • Lesson 1

Lesson 1 — What is Microsoft Sentinel?

Welcome to the first lesson in the Agent Foskett Microsoft Sentinel Academy. In this lesson, we begin with the problem Sentinel is designed to solve: too much security data, too many disconnected systems, and not enough clear investigation context.

Microsoft Sentinel helps security teams collect signals, detect suspicious activity, create incidents, investigate evidence and automate response across Microsoft and non-Microsoft environments.

Sentinel turns security data into operational SOC workflows.
Agent Foskett Microsoft Sentinel Academy Lesson 1
What you will learn

This lesson explains Sentinel in plain English before we start configuring connectors, rules, incidents and automation.

What Microsoft Sentinel is
What SIEM and SOAR mean
How Sentinel fits beside Defender XDR
How Sentinel supports a modern SOC

Learning objectives

After completing this lesson, you should be able to explain Microsoft Sentinel at a practical SOC level.

  • Describe what Microsoft Sentinel is.
  • Explain the difference between SIEM and SOAR.
  • Understand why organisations use Sentinel.
  • Explain how Sentinel works with Microsoft Defender XDR.
  • Identify the core Sentinel components used in later lessons.

The security problem

Most organisations do not have a shortage of logs. They have logs everywhere: Microsoft 365, Azure, endpoints, firewalls, VPNs, identity systems, servers, cloud platforms and third-party applications.

The real problem is turning all of that telemetry into useful detection, investigation and response.

What is Microsoft Sentinel?

Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR platform. It collects security data from many systems, analyses that data for suspicious activity, creates incidents for analysts, supports threat hunting with KQL, and can automate response actions using playbooks.

Agent Foskett tip:

Think of Sentinel as the place where separate security signals become an investigation. Defender might detect a phishing email, Entra ID might show a risky sign-in, and a firewall might show unusual traffic. Sentinel helps bring those signals into one operational story.

What is a SIEM?

A SIEM, or Security Information and Event Management platform, collects logs from multiple systems, stores them centrally, analyses them, and helps security teams investigate threats.

Firewalls Servers Microsoft 365 Azure VPN Linux Third-party apps │ ▼ Microsoft Sentinel

What is SOAR?

SOAR means Security Orchestration, Automation and Response. This is the part of Sentinel that helps a SOC automate repeatable actions and standardise response workflows.

  • Notify analysts when important incidents are created.
  • Enrich incidents with extra context.
  • Create tickets or send Teams messages.
  • Trigger Logic Apps playbooks.
  • Support repeatable response actions.

How Sentinel fits into Microsoft Security

Sentinel does not replace Microsoft Defender XDR. It extends the investigation view. Defender XDR is excellent at protecting Microsoft workloads and correlating Microsoft security signals. Sentinel can bring Microsoft and non-Microsoft data together into a broader SIEM and SOAR workflow.

Users │ Microsoft 365 + Azure + Endpoints + Third-party systems │ Microsoft Defender XDR and other security tools │ Microsoft Sentinel │ Security Operations Centre │ Incident response, hunting and automation

Sentinel vs Microsoft Defender XDR

This is one of the most important concepts for beginners. Sentinel and Defender XDR work together, but they are not the same thing.

Microsoft Defender XDR Microsoft Sentinel
Protects and correlates Microsoft security workloads such as endpoint, identity, email and cloud apps. Collects and correlates Microsoft and third-party security data across the wider environment.
Raises alerts and incidents from Microsoft Defender products. Creates SIEM incidents using analytics rules, connectors, automation and cross-platform telemetry.
Best for Microsoft XDR investigation and response. Best for enterprise SIEM, SOAR, threat hunting, dashboards and wider SOC operations.

Real-world example

Defender XDR detects a phishing email. That is useful, but it may not tell the whole story. Sentinel can help correlate additional signals such as risky sign-ins, VPN activity, firewall logs, endpoint events and threat intelligence matches.

Instead of five separate clues, the analyst gets one clearer incident path.

Common beginner mistake

A common mistake is thinking Sentinel is just another alert portal. It is better to think of it as a security operations platform.

The goal is not simply to collect more alerts. The goal is to build better detection logic, reduce noise, investigate faster and respond consistently.

Key Sentinel components

ComponentWhat it doesWhere we cover it
Log Analytics WorkspaceStores the data Sentinel queries and analyses.Lesson 3
Data ConnectorsBring Microsoft and third-party telemetry into Sentinel.Lesson 4
IncidentsGroup alerts and evidence for analyst investigation.Lesson 5
Analytics RulesTurn KQL and detection logic into alerts and incidents.Lesson 6
WorkbooksCreate dashboards and operational views.Later lesson
PlaybooksAutomate response actions using Logic Apps.Later lesson
HuntingUse KQL to proactively search for suspicious activity.Later lesson
Lesson summary
Microsoft Sentinel is a cloud-native SIEM and SOAR platform that helps security teams collect data, detect threats, investigate incidents, hunt with KQL and automate response across Microsoft and third-party environments.
Sentinel Academy Home

Related Agent Foskett learning

These links connect Lesson 1 back into the wider Agent Foskett Academy and Microsoft security topic cluster.

What is Microsoft Sentinel?

Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR platform for security operations, threat detection, incident investigation, KQL hunting, analytics rules, automation and response.

Microsoft Sentinel Lesson 1

This Agent Foskett Microsoft Sentinel Academy lesson explains SIEM, SOAR, Microsoft Defender XDR integration, Log Analytics, data connectors, incidents, analytics rules and SOC workflows.